In the UK, the storage and use of personal data is governed by the 2018 Data Protection Act, which implements the General Data Protection Regulation (GDPR).
The Data Protection Act protects “personal data”, which can be defined as any information relating to an identified or identifiable living individual. At a basic level, this is someone’s name, their ID numbers (such as National Insurance or passport numbers), location data (such as home address) and any online identifiers (such as IP or email addresses).
Beyond this, certain personal data is defined as “sensitive” and has additional protections under the Act. Sensitive personal data includes racial/ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data and sexual orientation.
Sensitive personal data can also include some information relating to criminal offences, particularly: data concerning the commission or alleged commission of a criminal offence; proceedings in relation to an alleged criminal offence; the outcome of such proceedings; and the sentence of a court in those proceedings.